Update keycloakVersion to v26 (major) #6

Open
wants to merge 1 commit into
base: master

@renovate renovate bot commented Jan 7, 2022

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| org.keycloak:keycloak-server-spi (source) | 12.0.4 -> 26.0.7 | age | adoption | passing | confidence |
| org.keycloak:keycloak-server-spi-private (source) | 12.0.4 -> 26.0.7 | age | adoption | passing | confidence |
| org.keycloak:keycloak-services (source) | 12.0.4 -> 26.0.7 | age | adoption | passing | confidence |
| org.keycloak:keycloak-core (source) | 12.0.4 -> 26.0.7 | age | adoption | passing | confidence |

Release Notes

keycloak/keycloak (org.keycloak:keycloak-server-spi)

v26.0.7

Compare Source

v26.0.6

Compare Source

Highlights

Admin events might now include additional details about the context when the event is fired

In this release, admin events might hold additional details about the context when the event is fired. When upgrading you should expect the database schema to be updated to add a new column DETAILS_JSON to the ADMIN_EVENT_ENTITY table.

Updates to documentation of X.509 client certificate lookup via proxy

Potential vulnerable configurations have been identified in the X.509 client certificate lookup when using a reverse proxy. Additional configuration steps might be required depending on your current configuration. Make sure to review the updated reverse proxy guide if you have configured the client certificate lookup via a proxy header.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #​34315 Update the Keycloak CPU and Memory sizing guide to reflect the new ec2 workder nodes
  • #​34386 Some dynamic imported functions are also statically imported making bundling them in-efficient
  • #​34570 Make documentation more clear that keycloak javascript adapter and node.js adapter are OIDC docs
  • #​34855 Add conditional text to Installation Locations
  • #​34873 Update Leveraging JaKarta EE in Server Development guide
  • #​34887 Apply QE edits to High Availability guide

Bugs

  • #​609 Workflow failure - Jakarta - SAMLServiceProviderTest.testAccessAccountManagement
  • #​11008 Incorrect get the members of a group imported from LDAP ldap
  • #​17593 Incorrect ldap-group-mapper chosen to sync changes to ActiveDirectory when several mappers with varying group paths used ldap
  • #​19652 Members are inhereted from LDAP group with the same name ldap
  • #​23732 JavascriptAdapterTest errors when running with strict cookies on Firefox ci
  • #​27856 Social login - Stack Overflow test fails ci
  • #​31456 Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI ldap
  • #​32786 Organization Domain not marked as a required field in the Admin UI admin/ui
  • #​33531 Previously entered translations should persist in the translation dialog for the attribute groups admin/ui
  • #​34013 Add More Info to Organization Events organizations
  • #​34065 Users without `view-realm` can't see user lockout state in Admin UI admin/ui
  • #​34201 OIDC IdP Unable to validate signatures using validatingPublicKey certificate admin/ui
  • #​34335 NPE in Organization(s)Resource when using Quarkus Rest Client admin/api
  • #​34401 Incorrect Content-Type Expectation for POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API admin/api
  • #​34465 Missing help icons in Webauthn Policy and Webauthn Passwordless Policy missing in admin ui admin/ui
  • #​34519 Clicking on link to Keycloak documentation from Keycloak admin UI does nothing instead of opening documentation admin/ui
  • #​34549 Quarkus dev mode does not work dist/quarkus
  • #​34572 Text in "Choose a policy type" is not wrapping admin/ui
  • #​34603 NPE in InfinispanOrganizationProvider if userCache is disabled infinispan
  • #​34624 Securing apps guide breaks downstream docs
  • #​34634 Missing downstream explicit name for anchors docs
  • #​34644 KC_CACHE_EMBEDDED_MTLS_ENABLED is ignored infinispan
  • #​34671 `ClientConnection.getRemoteAddr` can return a hostname when behind a reverse proxy core
  • #​34687 New credential templates broken in KC26 login/ui
  • #​34905 [Keycloak CI] Outdated surefire artifacts names - Quarkus IT and UT ci
  • #​35213 CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
  • #​35214 CVE-2024-10270 Potential Denial of Service
  • #​35215 CVE-2024-10492 Keycloak path trasversal
  • #​35216 CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
  • #​35217 CVE-2024-10039 Bypassing mTLS validation

v26.0.5

Compare Source

Highlights

LDAP users are created as enabled by default when using Microsoft Active Directory

If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.

In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user. This behavior was not consistent with other built-in user storages as well as not consistent with other LDAP vendors supported by the LDAP provider.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

  • #​31415 Selection list does not close after outside click admin/ui
  • #​33607 Fix v2 login layout login/ui
  • #​33618 No message for `policyGroupsHelp` admin/ui
  • #​33640 Customizable footer (Keycloak 26) not displaying in keycloak.v2 login theme login/ui
  • #​34301 Remove inaccurate statement about master realm imports docs
  • #​34450 [26.0.2] Migration from 25.0.1 Identity Provider Errors identity-brokering
  • #​34467 Do not rely on the `pwdLastSet` attribute when updating AD entries ldap

v26.0.4

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #​34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java
  • #​34382 Make the organization chapter of Server Admin guide available on downstream

Bugs

  • #​14562 Broken Promise implementation for AuthZ JS adapter/javascript
  • #​25917 Allow increasing wait time on each failure after the max number of failures is reached authentication
  • #​33627 ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 dist/quarkus
  • #​33731 Client Scope updates are not replicated on a distributed keycloak setup in kubernetes admin/api
  • #​33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication dist/quarkus
  • #​33987 keycloak.v2 registration: Password policy validation error "errorList is null" login/ui
  • #​34042 LDAP Pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy ldap
  • #​34050 Listing federated LDAP users is very slow with import enabled ldap
  • #​34093 java.util.ConcurrentModificationException when process user sessions update infinispan
  • #​34412 LDAP: searching users with import disabled is slower since fix for 34050 ldap

v26.0.3

Compare Source

v26.0.2

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #​32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus

Bugs

  • #​15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript
  • #​19101 Uncaught (in promise): QuotaExceededError adapter/javascript
  • #​20287 When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` adapter/javascript
  • #​28978 some GUI validation check missing admin/ui
  • #​30832 Organization API not available from OpenAPI documentation admin/api
  • #​31724 Logout not working after removing Identity Provider of user identity-brokering
  • #​33072 Passkeys: Infinite (re-)loading loop on browsers with WebAuthn Conditional UI disabled authentication/webauthn
  • #​33844 Wrong documentation link in keycloak-js readme docs
  • #​33902 Not persisted config settings prevent server start dist/quarkus
  • #​33948 [PERF] OpenTelemetry is initialized even when disabled
  • #​33968 Not possible to close dialog boxes when clicking buttons or the close icon admin/ui
  • #​33991 Doc CI - broken links error docs
  • #​34009 grammatical error in "Managing Organizations" documentation docs
  • #​34015 Home URL for security-admin-console is broken admin/ui
  • #​34028 Custom keycloak login theme styles.css return error 404 login/ui
  • #​34049 Org Invite: `linkExpiration` template variable represents 54 years in minutes organizations
  • #​34063 Respect the locale set to a user when redering verify email pages user-profile
  • #​34069 Do not show domain match message in the identity-first login when no login hint is provided organizations
  • #​34075 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
  • #​34095 Keycloak 26.0.0/26.0.1 Import Issue: Multiple Realms Not Imported, Duplicated Realm Imported Instead import-export
  • #​34151 JS password validation doesn't work as intended with uppercase and lowercase minimum requirements login/ui
  • #​34155 cli options starting or ending with ; or containing ;; mangle the cli handling dist/quarkus
  • #​34224 Deleting a user leads to ISPN marshalling exception

v26.0.1

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #​32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator
  • #​33275 Better logging when error happens during transaction commit storage

Bugs

  • #​8935 keycloak.js example from the documentation leads to error path adapter/javascript
  • #​19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy authorization-services
  • #​31848 Repeated email verifications while logging in through IDP caused by email case sensitivity authentication
  • #​32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists ldap
  • #​32617 Nightly Cypress tests for the Admin Console are failing on Firefox admin/ui
  • #​32844 Login V2: Missing "dir" attributes login/ui
  • #​32847 Admin UI defaults to master realm even without permissions to it admin/ui
  • #​32962 Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm oidc
  • #​33513 Can get authorization code on a non verified user with some specific kc_action (AIA) oidc
  • #​33539 Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided docs
  • #​33549 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
  • #​33557 Unable to submit forms in Safari account/ui
  • #​33576 Broken links / anchors after KC26 release docs
  • #​33578 In imported realms, the ability to use environment variables has disappeared import-export
  • #​33585 Fix runaway asterisk formatting in TLS documentation docs
  • #​33638 Non-optimized start command gives erroneous warnings for runtime spi options dist/quarkus
  • #​33642 RTL not working on keycloak.v2 login template login/ui
  • #​33645 keycloak-js register broken: createRegisterUrl not awaited adapter/javascript
  • #​33699 Failure to redirect to organization IdP when the organization scope is included organizations
  • #​33735 Organizations section is shown in account console if organizations is not enabled for a realm. account/ui
  • #​33776 [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" authentication
  • #​33777 Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster organizations
  • #​33780 Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' core
  • #​33814 NPE when device representation cannot be parsed authentication
  • #​33817 NEP when Default Role is not present on CachedRealm infinispan
  • #​33874 [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
  • #​33875 [Keycloak CI] - FIPS IT - Failed to fetch maven
  • #​33883 Auth not possible for auth session where user was enabled in the meantime authentication
  • #​33907 NPE thrown in whoami endpoint admin/ui
  • #​33967 password is a required field admin/ui

v26.0.0

Compare Source

Highlights

Organizations supported

Starting with Keycloak 26, the Organizations feature is fully supported.

Client libraries updates

Dedicated release cycle for the client libraries

From this release, some of the Keycloak client libraries will have release cycle independent of the Keycloak server release cycle. The 26.0.0 release may be the last one when the client libraries are released together with the Keycloak server. But from now on, the client libraries may be released at a different time than the Keycloak server.

The client libraries are these artifacts:

  • Java admin client - Maven artifact org.keycloak:keycloak-admin-client

  • Java authorization client - Maven artifact org.keycloak:keycloak-authz-client

  • Java policy enforcer - Maven artifact org.keycloak:keycloak-policy-enforcer

It is possible that in the future, some more libraries will be included.

The client libraries are supported with Java 8, so it is possible to use them with the client applications deployed on the older application servers.

Compatibility of the client libraries with the server

Beginning with this release, we are testing and supporting client libraries with the same server version and a few previous major server versions.

For details about supported versions of client libraries with server versions, see the Upgrading Guide.

User sessions persisted by default

Keycloak 25 introduced the feature persistent-user-sessions. With this feature enabled all user sessions are persisted in the database as opposed to the previous behavior where only offline sessions were persisted. In Keycloak 26, this feature is enabled by default. This means that all user sessions are persisted in the database by default.

It is possible to revert this behavior to the previous state by disabling the feature. Follow the Volatile user sessions section in Configuring distributed caches guide for more details.

For information on how to upgrade, see the Upgrading Guide.

New default login theme

There is now a new version (v2) of the keycloak login theme, which provides an improved look and feel, including support for switching automatically to a dark theme based on user preferences.

The previous version (v1) is now deprecated, and will be removed in a future release.

For all new realms, keycloak.v2 will be the default login theme. Also, any existing realm that never explicitly set a login theme will be switched to keycloak.v2.

Highly available multi-site deployments

Keycloak 26 introduces significant improvements to the recommended HA multi-site architecture, most notably:

  • Keycloak deployments are now able to handle user requests simultaneously in both sites.

  • Active monitoring of the connectivity between the sites is now required to update the replication between the sites in case of a failure.

  • The loadbalancer blueprint has been updated to use the AWS Global Accelerator as this avoids prolonged fail-over times caused by DNS caching by clients.

  • Persistent user sessions are now a requirement of the architecture. Consequently, user sessions will be kept on Keycloak or Infinispan upgrades.

For information on how to migrate, see the Upgrading Guide.

Admin Bootstrapping and Recovery

In the past, regaining access to a Keycloak instance when all admin users were locked out was a challenging and complex process. Recognizing these challenges and aiming to significantly enhance the user experience, Keycloak now offers several straightforward methods to bootstrap a temporary admin account and recover lost admin access.

It is now possible to run the start or start-dev commands with specific options to create a temporary admin account. Additionally, a new dedicated command has been introduced, which allows users to regain admin access without hassle.

For detailed instructions and more information on this topic, refer to the Admin Bootstrap and Recovery guide.

OpenTelemetry Tracing preview

The underlying Quarkus support for OpenTelemetry Tracing has been exposed to Keycloak and allows obtaining application traces for better observability. It helps to find performance bottlenecks, determine the cause of application failures, trace a request through the distributed system, and much more. The support is in preview mode, and we would be happy to obtain any feedback.

For more information, see the Enabling Tracing guide.

OpenID for Verifiable Credential Issuance

The OpenID for Verifiable Credential Issuance (OID4VCI) is still an experimental feature in Keycloak, but it was greatly improved in this release. You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join.

Many thanks to all members of the OAuth SIG group for their participation in the development and discussions about this feature. Special thanks to Francis Pouatcha, Pascal Knüppel, Takashi Norimatsu, Ingrid Kamga, Stefan Wiedemann and Thomas Darimont.

DPoP improvements

The DPoP (OAuth 2.0 Demonstrating Proof-of-Possession) preview feature has improvements. The DPoP is now supported for all grant types. With previous releases, this feature was supported only for the authorization_code grant type. Support also exists for the DPoP token type on the UserInfo endpoint.

Many thanks to Pascal Knüppel for the contribution.

Removal of GELF logging handler

GELF support has been deprecated for a while now, and with this release it has been finally removed from Keycloak. Other log handlers are available and fully supported to be used as a replacement of GELF, for example Syslog. For details see the Logging guide.

Lightweight access tokens for Admin REST API

Lightweight access tokens can now be used on the admin REST API. The security-admin-console and admin-cli clients are now using lightweight access tokens by default, so “Always Use Lightweight Access Token” and “Full Scope Allowed” are now enabled on these two clients. However, the behavior in the admin console should effectively remain the same. Be cautious if you have made changes to these two clients and if you are using them for other purposes.

Keycloak JavaScript adapter now standalone

Keycloak JavaScript adapter is now a standalone library and is therefore no longer served statically from the Keycloak server. The goal is to de-couple the library from the Keycloak server, so that it can be refactored independently, simplifying the code and making it easier to maintain in the future. Additionally, the library is now free of third-party dependencies, which makes it more lightweight and easier to use in different environments.

For a complete breakdown of the changes consult the Upgrading Guide.

Hostname v1 feature removed

The deprecated hostname v1 feature was removed. This feature was deprecated in Keycloak 25 and replaced by hostname v2. If you are still using this feature, you must migrate to hostname v2. For more details, see the Configuring the hostname (v2) and the initial migration guide.

Automatic redirect from root to relative path

The user is automatically redirected to the path where Keycloak is hosted when the http-relative-path property is specified. It means when the relative path is set to /auth, and the user accesses localhost:8080/, the page is redirected to localhost:8080/auth.

The same applies to the management interface when the http-management-relative-path or http-relative-path property is specified.

It improves user experience as users no longer need to set the relative path to the URL explicitly.

Persisting revoked access tokens across restarts

In this release, revoked access tokens are written to the database and reloaded when the cluster is restarted by default when using the embedded caches.

For information on how to migrate, see the Upgrading Guide.

Client Attribute condition in Client Policies

The condition based on the client-attribute was added into Client Policies. You can use the condition to specify the clients with the specified client attribute having a specified value. It is possible to use either an AND or OR condition when evaluating this condition as mentioned in the documentation for client policies.

Many thanks to Yoshiyuki Tabata for the contribution.

Specify different log levels for log handlers

It is possible to specify log levels for all available log handlers, such as console, file, or syslog. The more fine-grained approach provides the ability to control logging over the whole application and be tailored to your needs.

For more information, see the Logging guide.

Proxy option removed

The deprecated proxy option was removed. This option was deprecated in Keycloak 24 and replaced by the proxy-headers option in combination with hostname options as needed. For more details, see using a reverse proxy and the initial migration guide.

Option proxy-trusted-addresses added

The proxy-trusted-addresses can be used when the proxy-headers option is set to specify an allowlist of trusted proxy addresses. If the proxy address for a given request is not trusted, then the respective proxy header values will not be used.

Option proxy-protocol-enabled added

The proxy-protocol-enabled option controls whether the server should use the HA PROXY protocol when serving requests from behind a proxy. When set to true, the remote address returned will be the one from the actual connecting client.

Option to reload trust and key material added

The https-certificates-reload-period option can be set to define the reloading period of key store, trust store, and certificate files referenced by https-* options. Use -1 to disable reloading. Defaults to 1h (one hour).

Options to configure cache max-count added

The --cache-embedded-${CACHE_NAME}-max-count= can be set to define an upper bound on the number of cache entries in the specified cache.

The https-trust-store-* options have been undeprecated

Based on the community feedback, we decided to undeprecate https-trust-store-* options to allow better granularity in trusted certificates.

The java-keystore key provider supports more algorithms and vault secrets

The java-keystore key provider, which allows loading a realm key from an external java keystore file, has been modified to manage all Keycloak algorithms. Besides, the keystore and key secrets, needed to retrieve the actual key from the store, can be configured using the vault. Therefore a Keycloak realm can externalize any key to the encrypted file without sensitive data stored in the database.

For more information about this subject, see Configuring realm keys.

Adding support for ECDH-ES encryption key management algorithms

Now Keycloak allows configuring ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW or ECDH-ES+A256KW as the encryption key management algorithm for clients. The Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) specification introduces three new header parameters for the JWT: epk, apu and apv. Currently Keycloak implementation only manages the compulsory epk while the other two (which are optional) are never added to the header. For more information about those algorithms please refer to the JSON Web Algorithms (JWA).

Also, a new key provider, ecdh-generated, is available to generate realm keys and support for ECDH algorithms is added into the Java KeyStore provider.

Many thanks to Justin Tay for the contribution.

Support for multiple instances of a social broker in a realm

It is now possible to have multiple instances of the same social broker in a realm.

Most of the time a realm does not need multiple instances of the same social broker. But due to the introduction of the organization feature, it should be possible to link different instances of the same social broker to different organizations.

When creating a social broker, you should now provide an Alias and optionally a Display name just like any other broker.

New generalized event types for credentials

There are now generalized events for updating (UPDATE_CREDENTIAL) and removing (REMOVE_CREDENTIAL) a credential. The credential type is described in the credential_type attribute of the events. The new event types are supported by the Email Event Listener.

The following event types are now deprecated and will be removed in a future version: UPDATE_PASSWORD, UPDATE_PASSWORD_ERROR, UPDATE_TOTP, UPDATE_TOTP_ERROR, REMOVE_TOTP, REMOVE_TOTP_ERROR

The template.ftl file in the base/login and the keycloak.v2/login theme now allows customizing the footer of the login box. This can be used to show common links or include custom scripts at the end of the page.

The new footer.ftl template provides a content macro that is rendered at the bottom of the "login box".

Keycloak CR supports standard scheduling options

The Keycloak CR now exposes first class properties for controlling the scheduling of your Keycloak Pods.

For more details, see the Operator Advanced Configuration.

KeycloakRealmImport CR supports placeholder replacement

The KeycloakRealmImport CR now exposes spec.placeholders to create environment variables for placeholder replacement in the import.

For more details, see the Operator Realm Import.

Configuring the LDAP Connection Pool

In this release, the LDAP connection pool configuration relies solely on system properties.

For more details, see Configuring the connection pool.

Infinispan marshalling changes to Infinispan Protostream

Marshalling is the process of converting Java objects into bytes to send them across the network between Keycloak servers. With Keycloak 26, we changed the marshalling format from JBoss Marshalling to Infinispan Protostream.

Warning
JBoss Marshalling and Infinispan Protostream are not compatible with each other and incorrect usage may lead to data loss. Consequently, all caches are cleared when upgrading to this version.

Infinispan Protostream is based on Protocol Buffers (proto 3), which has the advantage of backwards/forwards compatibility.

Removal of OSGi metadata

Since all of the Java adapters that used OSGi metadata have been removed we have stopped generating OSGi metadata for our jars.

With the goal of improving the scalability of groups, they are now removed directly from the database when removing a realm. As a consequence, group-related events like the GroupRemovedEvent are no longer fired when removing a realm.

For information on how to migrate, see the Upgrading Guide.

Identity Providers no longer available from the realm representation

As part of the improvements around the scalability of realms and organizations when they have many identity providers, the realm representation no longer holds the list of identity providers. However, they are still available from the realm representation when exporting a realm.

For information on how to migrate, see the Upgrading Guide.

Securing Applications documentation converted into the guide format

The Securing Applications and Services documentation was converted into the new format similar to the Server Installation and Configuration documentation converted in the previous releases. The documentation is now available under Keycloak Guides.

Removal of legacy cookies

Keycloak no longer sends _LEGACY cookies, which were introduced as a work-around to older browsers not supporting the SameSite flag on cookies.

The _LEGACY cookies also served another purpose, which was to allow login from an insecure context. Although this is not recommended at all in production deployments of Keycloak, it is fairly frequent to access Keycloak over http outside of localhost. As an alternative to the _LEGACY cookies Keycloak now doesn't set the secure flag and sets SameSite=Lax instead of SameSite=None when it detects an insecure context is used.

Property origin in the UserRepresentation is deprecated

The origin property in the UserRepresentation is deprecated and planned to be removed in future releases.

Instead, prefer using the federationLink property to obtain the provider to which a user is linked.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Deprecated features

  • #​600 De-couple quickstarts from statically served Keycloak JS quickstarts

New features

  • #​20342 Duplicate groups in the admin console of Keycloak admin/ui
  • #​26178 Support dark mode, at least for the login pages login/ui
  • #​29324 Bootstrapping an admin user using a dedicated command dist/quarkus
  • #​29755 Support AES and HMAC Key-Imports for the JavaKeystoreKeyProvider
  • #​30002 Bootstrapping an admin service account using a dedicated command dist/quarkus
  • #​30009 Warnings for temporary admin user and service account core
  • #​30011 Document admin bootstrapping and recovery docs
  • #​30682 Group assignment: Display disabled information from user admin/ui
  • #​30795 Initiate create events if ClientScopes are created
  • #​31421 Add Events for Organization Creation and Member Assignment organizations
  • #​31642 Include organization attributes and information in ID and access tokens organizations
  • #​31643 Implement invitation-only self-registration for realm users organizations
  • #​32030 Retry remote cache operations with back off
  • #​32135 Option to specify trusted proxies dist/quarkus
  • #​32553 Expose Password Policies in FreeMarker Context for Login Themes

Enhancements

  • #​583 Update dependency on keycloak-client in main branch to 999.0.0-SNAPSHOT quickstarts
  • #​10114 Specific events for webauthn register authentication/webauthn
  • #​10492 Support proxy_protocol
  • #​14073 SAML 2.0 HTTP-Artifact binding
  • #​15769 update or replace base64-js and js-sha256 adapter/javascript
  • #​16750 Google login - add prompt=select_account option core
  • #​19564 response_type none is oidc spec but ignored in the current implementation. oidc
  • #​19750 Use a proper FreeMarker template for the new consoles account/ui

Mend Renovate. View the repository job log.
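
The allowlist rule that the 26.0.0 notes above give for proxy-trusted-addresses ("if the proxy address for a given request is not trusted, then the respective proxy header values will not be used"), modelled as an added example; this is not Keycloak code and not part of the Renovate comment. The function names, the sample addresses, the behaviour without an allowlist and the right-to-left walk over X-Forwarded-For (which goes beyond what the notes state) are assumptions of this sketch.

```python
"""Model of a trusted-proxy allowlist for forwarded-address headers.

Added illustration, not Keycloak's implementation. All names are hypothetical.
"""
import ipaddress


def parse_trusted(spec):
    """Parse a comma-separated list of IPs / CIDR ranges into network objects."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            # strict=False accepts host addresses such as 10.0.0.5 as a /32
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_trusted(addr, trusted):
    """True if addr (an IP literal) falls inside any trusted network.

    Raises ValueError when addr is not an IP literal (e.g. a hostname).
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def resolve_client_address(peer_addr, headers, trusted=None):
    """Return the address the server should treat as the client.

    peer_addr: address of the TCP peer (the proxy, or a direct caller).
    headers:   request headers as a dict.
    trusted:   list from parse_trusted(), or None when no allowlist is set.
    """
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer_addr

    if trusted is None:
        # Assumed baseline: with no allowlist the header is believed no matter
        # who sent it, so any direct caller can choose its own "client address".
        return hops[0]

    if not is_trusted(peer_addr, trusted):
        # The rule from the release notes: header values from an untrusted
        # peer are not used.
        return peer_addr

    # Assumption of this example: walk the chain right to left, skipping our
    # own proxies, and stop at the first hop we do not control. Anything to
    # the left of that hop was supplied by the client and proves nothing.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            # Not an IP literal (hostname, garbage): fall back to the peer.
            return peer_addr
    return hops[0]  # every hop is one of our proxies


# Constructed sample allowlist: one proxy host plus loopback.
TRUSTED = parse_trusted("10.0.0.5,127.0.0.0/8")


def demo():
    """Constructed requests: (label, peer, headers, allowlist)."""
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    cases = [
        ("via proxy", "10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}, TRUSTED),
        ("direct spoof, allowlist", "198.51.100.9", spoof, TRUSTED),
        ("direct spoof, no allowlist", "198.51.100.9", spoof, None),
        ("spoof prepended via proxy", "10.0.0.5",
         {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"}, TRUSTED),
    ]
    return {label: resolve_client_address(peer, hdrs, allow)
            for label, peer, hdrs, allow in cases}


if __name__ == "__main__":
    for label, addr in demo().items():
        print(f"{label:28s} -> {addr}")
```
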

@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from deb4d3e to c8c5068 Compare January 26, 2022 08:44
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from c8c5068 to 94aac76 Compare February 11, 2022 21:02
@renovate renovate bot changed the title Update keycloakVersion to v16 (major) Update keycloakVersion to v17 (major) Feb 11, 2022
@renovate renovate bot changed the title Update keycloakVersion to v17 (major) Update keycloakVersion (major) Feb 12, 2022
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 94aac76 to c33628b Compare February 12, 2022 02:25
@renovate renovate bot changed the title Update keycloakVersion (major) Update keycloakVersion to v16 (major) Feb 12, 2022
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from c33628b to 8a018a8 Compare February 12, 2022 08:51
@renovate renovate bot changed the title Update keycloakVersion to v16 (major) Update keycloakVersion (major) Feb 12, 2022
@renovate renovate bot changed the title Update keycloakVersion (major) Update keycloakVersion to v17 (major) Feb 12, 2022
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 8a018a8 to 987abfa Compare March 23, 2022 08:53
@renovate renovate bot changed the title Update keycloakVersion to v17 (major) Update keycloakVersion (major) Mar 23, 2022
@renovate renovate bot changed the title Update keycloakVersion (major) Update keycloakVersion to v17 (major) Mar 24, 2022
@renovate renovate bot changed the title Update keycloakVersion to v17 (major) Update keycloakVersion to v18 (major) Apr 24, 2022
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 987abfa to 1a75921 Compare April 24, 2022 20:15
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 1a75921 to 48e0738 Compare June 18, 2022 15:56
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 48e0738 to ecadea2 Compare September 25, 2022 14:37
@renovate renovate bot changed the title Update keycloakVersion to v18 (major) Update keycloakVersion to v19 (major) Sep 25, 2022
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from ecadea2 to 5467bef Compare November 20, 2022 13:52
@renovate renovate bot changed the title Update keycloakVersion to v19 (major) Update keycloakVersion to v20 (major) Nov 20, 2022
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 5467bef to 3da4289 Compare March 16, 2023 17:49
@renovate renovate bot changed the title Update keycloakVersion to v20 (major) Update keycloakVersion to v21 (major) Mar 16, 2023
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 3da4289 to 499db4c Compare March 30, 2023 17:18
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 499db4c to 3d49f35 Compare May 28, 2023 10:23
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 3d49f35 to d9452da Compare June 28, 2023 09:01
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from d9452da to b66babf Compare July 11, 2023 21:47
@renovate renovate bot changed the title Update keycloakVersion to v21 (major) Update keycloakVersion to v22 (major) Jul 11, 2023
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from b66babf to c17c5c4 Compare July 18, 2023 23:05
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch 3 times, most recently from 0067f7c to 0116c74 Compare September 12, 2023 22:02
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 15925c9 to a37ccd3 Compare January 8, 2024 14:43
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch 2 times, most recently from d5575ca to 9508d77 Compare February 2, 2024 16:05
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 9508d77 to eaf6244 Compare February 22, 2024 19:53
@renovate renovate bot changed the title Update keycloakVersion to v23 (major) Update keycloakVersion (major) Mar 4, 2024
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from eaf6244 to e01cf07 Compare March 4, 2024 16:31
@renovate renovate bot changed the title Update keycloakVersion (major) Update keycloakVersion to v24 (major) Mar 4, 2024
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from e01cf07 to ce0f48b Compare March 5, 2024 16:30
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from ce0f48b to e9cf99b Compare March 25, 2024 05:20
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from e9cf99b to bf92673 Compare April 17, 2024 04:41
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from bf92673 to 5983105 Compare May 8, 2024 17:34
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 5983105 to e3c03ff Compare June 4, 2024 08:02
@renovate renovate bot changed the title Update keycloakVersion to v24 (major) Update keycloakVersion (major) Jun 10, 2024
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from e3c03ff to 79d406a Compare June 10, 2024 19:19
@renovate renovate bot changed the title Update keycloakVersion (major) Update keycloakVersion to v25 (major) Jun 10, 2024
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 79d406a to 7b65c0c Compare June 20, 2024 19:42
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 7b65c0c to 46ca8bd Compare July 18, 2024 09:41
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch 2 times, most recently from 1756379 to 302d444 Compare August 19, 2024 10:44
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 302d444 to f30a9d1 Compare September 10, 2024 08:27
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from f30a9d1 to 49f33ce Compare September 19, 2024 19:00
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from 49f33ce to 7fec182 Compare October 4, 2024 10:14
@renovate renovate bot changed the title Update keycloakVersion to v25 (major) Update keycloakVersion to v26 (major) Oct 4, 2024
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch 2 times, most recently from 0afdb17 to 625fe2f Compare October 24, 2024 09:27
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch 2 times, most recently from 42e479f to ee90f87 Compare November 1, 2024 09:53
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from ee90f87 to d2bd026 Compare November 22, 2024 07:14
@renovate renovate bot force-pushed the renovate/major-keycloakversion branch from d2bd026 to 8ba593a Compare December 3, 2024 10:40